The Polaris Bug Bounty Program
The Polaris Bug Bounty Program Terms and Conditions ("Terms") cover your participation in the Polaris Bug Bounty Program (the "Program"). These Terms are between you and Polaris LLC ("Polaris," "us" or "we"). When you submit any vulnerabilities to Polaris or otherwise participate in the Program in any manner, you are hereby accepting these Terms.
The Program allows users to submit vulnerabilities and other exploitation techniques ("Vulnerabilities") to Polaris about eligible Polaris products and services ("Products") for a chance to earn ("Bounty") rewards in an amount determined by Polaris in its sole discretion. Typically, the amounts can range from $50 up to $750 or more depending upon our sole evaluation of the severity of the vulnerability found. The decisions made by Polaris regarding Bounties are final and not subject to negotiation. For any reason Polaris may change or cancel this Program at any time.
CHANGES TO THESE TERMS
We may alter these Terms at any time. Participating in the Program after the changes become effective means you agree to the new Terms. If you disagree with the new Terms, you can not participate.
If you wish to opt-out of the Program, contact us at email@example.com. Opting out will not affect any licenses granted to Polaris in any Submissions already provided by you.
You are eligible to participate in the Program if you meet all of the following conditions:
- You are 18 years of age or older; and
- You are either an individual researcher participating in your own individual capacity, or you work for an organization that permits you to participate. You are responsible for reviewing your employer's rules for participating in this Program.
You are not eligible to participate in the Program if you meet any of the following criteria:
- You are a resident of any countries under U.S. sanctions https://home.treasury.gov/policy-issues/financial-sanctions/sanctions-programs-and-country-information
- or any other country that does not allow participation in this type of program;
- You are under the age of 18;
- Your organization forbids you to participate in these types of programs;
THE PROCESS & SUBMISSION VULNERABILITY DISCLOSURE
If you have identified a Vulnerability that meets the applicable requirements set forth in the Program Terms, you may submit it to Polaris in accordance with the following process:
Each Vulnerability submitted to Polaris shall be a "Submission." Submissions must be sent to firstname.lastname@example.org. In the initial email, specify that you are submitting under Bounty Program, the Vulnerability details, and specific URLs you used to validate your research. Please also include as much detail as possible:
Submission Vulnerability Disclosure:
- Issue Type (buffer overflow, SQL injection, cross-site scripting, etc.)
- URL or pattern containing the bug
- Any unique configuration used to reproduce the issue
- Proof-of-concept or exploited code
- Impact of the exploit, including how an attacker could take advantage of the issue
You must follow Submission Vulnerability Disclosure (“SVD”) when reporting all Vulnerabilities to Polaris. Submissions that do not follow SVD may not be eligible for Bounties and not following SVD could disqualify you from participating in the Program in the future.
Based on the detail of your Submission, Polaris may award a Bounty of varying scale. Well-written reports and functional exploits are most likely to result in Bounties. Those Submissions that do not meet the minimum bar described herein are considered incomplete and not eligible for Bounties.
Polaris is not responsible for Submissions that we do not receive for any reason. If you do not receive a confirmation email after making your Submission, notify Polaris at email@example.com to ensure your Submission was received.
If you submit a Vulnerability for a product or service that is not covered by the Program at the time you submitted it, you will not be eligible to receive Bounty payments if the product or service is later added to the Program.
Polaris is not claiming any ownership rights to your Submission. However, by providing any Submission to Polaris, you:
- grant Polaris the following non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to the intellectual property in your Submission: (i) to use, review, assess, test, and otherwise analyze your Submission; (ii) to reproduce, modify, distribute, display and perform publicly, and commercialize and create derivative works of your Submission and all its content, in whole or in part; and (iii) to feature your Submission and all of its content in connection with the marketing, sale, or promotion of this Program or other programs (including internal and external sales meetings, conference presentations, tradeshows, and screen shots of the Submission in press releases) in all media (now known or later developed);
- agree to sign any documentation that may be required for us or our designees to confirm the rights you granted above;
- acknowledge that Polaris may have developed or commissioned materials similar or identical to your Submission, and you waive any claims resulting from any similarities to your Submission;
- You are not guaranteed any compensation or credit for use of your Submission; and
- You warrant that your Submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the Submission to Polaris.
CONFIDENTIALITY OF SUBMISSIONS/ RESTRICTIONS ON DISCLOSURE
We endeavor to address each Vulnerability report in a timely manner. While we are doing that we require that Bounty Submissions remain confidential and cannot be disclosed to third parties or the general public. You can make available high-level descriptions of your research and non-reversible demonstrations after the Vulnerability is fixed. We require that detailed proof-of-concept exploit code and details that would make attacks easier on customers be withheld for 30 days after the Vulnerability is fixed. Polaris will notify you when the Vulnerability in your Submission is fixed. You may be paid prior to the fix being released and payment should not be taken as notification of fix completion. VIOLATIONS OF THIS SECTION WILL DISQUALIFY YOU FROM PARTICIPATING IN THE PROGRAM IN THE FUTURE.
SUBMISSION REVIEW PROCESS
After a Submission, Polaris engineers will review the Submission and determine its eligibility. The review time will depend on the complexity and completeness of your Submission, as well as on the number of already submitted Submissions.
Polaris retains sole discretion in determining which Submissions are qualified, according to the rules set forth in these Terms. If we receive multiple bug reports for the same issue from different parties, the Bounty will be granted to the first eligible Submission. If a duplicate report provides new information that was previously unknown to Polaris, we may award a differential to the person submitting the duplicate report.
ISSUES THAT DON’T QUALITY FOR BOUNTY PAYMENTS
- Descriptive error messages (e.g. Stack Traces, application or server errors).
- HTTP 404 codes/pages or other HTTP non-200 codes/pages.
- Banner disclosure on common/public services.
- Disclosure of known public files or directories, (e.g. robots.txt).
- Clickjacking and issues only exploitable through clickjacking.
- CSRF on forms that are available to anonymous users (e.g. the contact form).
- Logout Cross-Site Request Forgery (logout CSRF).
- Presence of application or web browser ‘autocomplete’ or ‘save password’ functionality.
- Lack of Secure and HTTPOnly cookie flags.
- Lack of Security Speedbump when leaving the site.
- Weak Captcha / Captcha Bypass
- Username enumeration via Login Page error message
- Username enumeration via Forgot Password error message
- Login or Forgot Password page brute force and account lockout not enforced.
- OPTIONS / TRACE HTTP method enabled
- SSL Attacks such as BEAST, BREACH, Renegotiation attack
- SSL Forward secrecy not enabled
- SSL Insecure cipher suites
- The Anti-MIME-Sniffing header X-Content-Type-Options
- Missing HTTP security headers
The Decisions on Bounties are final and binding.
If your Submission is eligible for a Bounty under the applicable Terms, we will notify you of the Bounty amount and provide you with the required paperwork to process your payment.
We will consider the eligible submitter to be the authorized account holder of the email address used to enter the Program.
Before receiving a Bounty, you are required to complete and submit an Internal Revenue Service tax form (e.g., Form W-9, W-8BEN, 8233) within 30 calendar days of notification of validation. If you do not complete the required forms as instructed or do not return the required forms within the time period listed on the notification message, we may not provide payment. We cannot process payment until you have completed and submitted the fully executed required documentation.
If your Submission qualifies for a Bounty, please note:
- you may not designate someone else as the Bounty recipient
- if you are unable or unwilling to accept your Bounty, we reserve the right to rescind it; and
- if you accept a Bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s).
CODE OF CONDUCT
By participating in the Program, you will follow these rules:
- Don’t do anything illegal.
- Don't send spam. Spam is unwanted or unsolicited bulk email, postings, contact requests, SMS (text messages), or instant messages.
- Don't share inappropriate content or material.
- Don't engage in activity that is false or misleading.
- Don't engage in activity that is harmful to you, the Program, or others.
- Don't infringe upon the rights of others or engage in activity that violates the privacy of others.
- Don't help others break these rules.
If you violate these Terms, you may be prohibited from participating in the Program in the future and any Submissions you have provided may be deemed to be ineligible for Bounty payments.
POLARIS, AND OUR AFFILIATES, RESELLERS, DISTRIBUTORS, AND VENDORS, MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM. YOU MAY HAVE CERTAIN RIGHTS UNDER YOUR LOCAL LAW. NOTHING IN THESE TERMS IS INTENDED TO AFFECT THOSE RIGHTS, IF THEY ARE APPLICABLE.
LIMITATION OF LIABILITY
You can't recover any damages or losses related to this Program, including direct, consequential, lost profits, special, indirect, incidental, or punitive.
These Terms are the entire agreement between you and Polaris for your Participation in the Program. It supersedes any prior agreements between you and Polaris regarding your participation in the Program. All parts of these Terms apply to the maximum extent permitted by relevant law. If a court holds that we can't enforce a part of these Terms as written, we may replace those terms with similar terms to the extent enforceable under the relevant law, but the rest of these Terms won't change.
Other than your Submission, Polaris does not consider or accept unsolicited proposals or ideas, including without limitation ideas for new products, technologies, promotions, product names, product feedback and product improvements ("Unsolicited Feedback"). If you send any Unsolicited Feedback to Polaris through the Program or otherwise, Polaris makes no assurances that your ideas will be treated as confidential or proprietary.